This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

2020 was the year that the California Consumer Privacy Act (CCPA) went into effect, giving Californian consumers—for the first time—the right to take more control over their data.

And though the Act is still in its first year, already millions of Californian consumers started to exercise their CCPA rights: to access their data, to delete their data or to stop the sale of their data to a third party. While it’s true many consumers are still learning how to exercise their CCPA rights, we expect the trend of consumers taking control of their data to continue.

At DataGrail, we’re in the unique position of fulfilling data subject requests (DSRs) for millions of consumers, which gives us unique insights into the number of requests a company can anticipate. We analyzed DSRs processed throughout 2020 across our business-to-consumer (B2C) customers, resulting in a powerful benchmark of what to expect as the CCPA and other privacy regulations start to have a larger impact on how business is done.

This research will help organizations confidently enter the era and help them understand where they stand relative to their peers in the space. It’s early, but we hope these learnings help consumer businesses better prepare for the CCPA, and continuous changes to the regulatory landscape (such as the upcoming CPRA, which takes effect in 2023).

We reference three types of consumer rights requests that are part of the CCPA, often referred to as data subject requests (DSR):

The right to know the data collected. We refer to these as “access requests” or use the common acronym DSAR.

The right to deletion. We refer to these as “deletion requests.”

The right to say no. We refer to these as “do not sell requests” (DNS).

Total Volume of Data Subject Requests (DSRs)

In January 2020, we saw a big bump in the number of DSRs submitted across our customer base, which correlated with customers updating privacy policies to comply with the CCPA. The CCPA Trends Report we published in June suggested that B2C brands should expect approximately 13 DSRs per month per million identities. However, when we look at the data across the entire calendar year, the number stabilizes around 11 DSRs per month per million identities (Figure 2). In total, the average B2C company received 137 DSRs per million identities in 2020.

Gartner data shows businesses that manually process data subject requests on average spend $1,406 per request. At this rate, B2C organizations who manually processed DSRs, spent approximately $192,000 per million identities in 2020 to process and fulfill data subject requests. In Figure 2 we see the average number of DNS requests stabilize around five requests per million identities. DSARs and deletion requests each sit around three requests per million identities.

Organizations who manually processed DSRs, spent approximately $192,000 per million identities in 2020 to process and fulfill data subject requests.

This data is useful for extrapolating out to an industry average, as seen in Figure 3. As an example, a company with 8 million consumer identities should expect just over 1,000 DSRs per year. However, within the industry average, we saw some brands that trended much higher or lower than the average.

It’s hard to pinpoint exactly what triggers more DSRs, but it’s likely a combination of factors:

  1. Requesting that consumers submit requests via email vs. using a form. Email requests typically result in more spam requests.
  2. Sending out frequent privacy policy updates
  3. Frequently sending email campaigns that aren’t relevant to the customer’s interests

Requests by Type: Access (DSAR), Deletion, Do-Not-Sell

In Figure 5, we see do-not-sell (DNS) requests are still the most popular type of requests submitted by consumers in 2020, with the average B2C companies receiving 63 DNS requests per million identities. This is likely due to:

Many websites include a pop-up giving consumers the ability to opt out of their data being sold to a third party.
Consumers are increasingly aware of how their data is used online, and have more aggressively sought out ways to limit their data being sold.

In fact, consumers are twice as likely to exercise their right to opt-out versus requesting access to the personal data a company has stored on them.

Tracking DSRs over time, we see that the number of requests fluctuates month to month, with the summer months coming in with the fewest requests when compared to other months of the year. In June, we saw a spike in deletion requests, but it’s unclear as to why. One hypothesis is that many organizations refreshed their privacy policies in advance of the July 1st, 2020 CCPA enforcement date, triggering another round of deletion requests.

Data Subject Requests Verification

Fraud and spam are top concerns for organizations when they start to consider how to best process DSRs. To ensure no data ends up in the wrong hands, the CCPA requires that businesses use various methods to verify and authenticate the person is who they claim to be. DataGrail’s Smart Verification technology uses existing data associated with the individual’s identity, such as purchase history or user behaviors (e.g. games played, purchases, or products viewed) to securely validate the individual’s identity. This is a preferred method, rather than asking a consumer to submit more personal data (like a government ID), which goes against the spirit of CCPA.

The number of unverified requests changes dramatically depending on the customer’s intake method for

With Smart Verification, we were able to see that nearly 50% of DSRs went unverified in 2020, and of that most unverified requests are spam. Upon closer inspection, we found that the number of unverified requests changes dramatically depending on the customer’s intake method for DSRs.

Organizations who use a form and have a CAPTCHA tend to have significantly less unverified requests than organizations that ask customers to make a request via email.


Looking back on 2020 we see that DataGrail’s mid-year predictions tracked closely to where we ended the year.

DSRs are stabilizing around 11 DSRS per million identities each month, with DNS being the most popular request. A lack of end-to-end privacy automation is starting to cost businesses, with expected costs north of $190K per million identities annually.

Consumers have embraced CCPA, and we expect we’ll see an increase of DSR requests in 2021 as privacy issues continue to dominate the headlines. At the time of publishing this report in March 2021, the news of Apple and Facebook’s feud over a new privacy feature in Apple’s upcoming iOS update is driving more awareness. Apple’s new App Tracking Transparency feature informs people head on with what’s happening to their personal data. By adding a pop-up in apps, Apple is forcing a conversation about privacy that was previously tucked away in privacy policies and T&Cs. Consumers will finally be asked—at the right time—how they want their personal data handled.

But just because consumers are asking for more control, doesn’t mean businesses need to be on the defense. It would be easy for businesses to approach this privacy-focused era with concerns about how it will impact profit margins, yet we are seeing that brands who lean into privacy can win. According to a study from Cisco, “Most organizations are seeing very positive returns on their privacy investments, and more than 40% are seeing benefits at least twice that of their privacy spend.”

A great first step is simplifying a privacy policy with language the average person can understand.

To achieve these returns, companies should take steps to integrate privacy into their overall business. A great first step is simplifying a privacy policy with language the average person can understand. Privacy requires cross-functional teams hashing through the details of what’s collected, why, and how it’s used and stored. Often these aren’t fun conversations because there are competing priorities across the organization.

That’s where strong leadership and an organization-wide understanding of a company’s approach to privacy are critical. More and more, we see leading brands, many of them DataGrail customers, centralizing privacy programs to ensure privacy mandates are woven throughout the fabric of the entire organization. Without that, employee and customer trust can be lost. But companies that proactively embrace privacy to add value to their brands and build trust with their customers will be the undisputed winners of this new era.


DataGrail analyzed the data subject requests it helped process on behalf of select business-to-consumer customers with a substantial volume of privacy requests in the period January 1 to December 31st, 2020. This customer set had more than sixteen million consumer identities, where a “consumer identity” is defined as a single, individual identity associated with a unique email address within a customer’s database. To determine the cost of manually processing requests, we used Gartner’s estimate that manually processing a single request costs $1,406. Gartner published this statistic after releasing details from its 2019 Gartner Security and Risk Survey in February 2020.

Want to know more?
Download the full report

Download report